#	$OpenBSD: Makefile,v 1.33 2021/12/07 17:26:14 tobhe Exp $

# Copyright (c) 2020 Tobias Heider <tobhe@openbsd.org>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16
# Hooks for bsd.regress.mk (included at the bottom): `setup' is presumably run
# once before the first run-* target and `cleanup' once after the last.
# CLEANFILES are everything generated locally -- the staged iked.conf
# fragments and the throwaway test PKI (keys, CSRs, certs, serial files).
REGRESS_SETUP_ONCE =	setup
REGRESS_CLEANUP =	cleanup
CLEANFILES =		*.conf *.cnf *.csr *.key *.crt *.srl
20
# The live test drives two remote OpenBSD hosts ("left" and "right") over
# ssh.  LEFT_SSH/RIGHT_SSH are the ssh destinations, LEFT_ADDR/RIGHT_ADDR the
# addresses iked is configured on and the SAs are negotiated between.  The
# recipes run iked, ipsecctl, pfctl, sysctl and tcpdump on those hosts, so
# the ssh account needs the privileges for that (in practice root).  `?='
# lets the values come from the environment or the make command line.
LEFT_SSH ?=
RIGHT_SSH ?=
LEFT_ADDR ?=
RIGHT_ADDR ?=

# Without all four settings there is nothing to talk to: replace the regress
# target with one that reports SKIPPED instead of failing.
.if empty(LEFT_SSH) || empty(RIGHT_SSH) || empty(LEFT_ADDR) || empty(RIGHT_ADDR)
regress:
	@echo this test needs two remote machines to operate
	@echo LEFT_SSH RIGHT_SSH RIGHT_ADDR LEFT_ADDR are not defined
	@echo SKIPPED
.endif
32
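# TEST_FLOWS: poll `ipsecctl -sa' on both hosts until the negotiated IPsec
# state is visible on each of them, or give up after maxwait+1 rounds.
# Shell variables read (set by the caller on the same recipe line):
#   flowtype        esp or ipcomp (required)
#   tmode           tunnel (default) or transport
#   config_address  when set, left assigns right an address out of this
#                   pool, so the flows are matched against a pattern derived
#                   from the pool's prefix instead of against RIGHT_ADDR
#   maxwait         number of extra polling rounds (default 3)
# Result: _ret=0 only when the inbound flow on each host and all four SAs
# (both directions on both hosts) are present -- the tunnel has to be up end
# to end, not merely believed up by one side; otherwise _ret=1 and the raw
# ipsecctl output of both hosts is echoed for diagnosis.
# There is no sleep between rounds; pacing comes only from the two ssh round
# trips per iteration.  The derived address pattern assumes an IPv4 pool
# that stays inside one /24 (true for the in-tree 172.16.13.x tests).  The
# unescaped dots in the addresses match any character, which is tolerated.
TEST_FLOWS = \
	[ -z "$$tmode" ] && tmode=tunnel; \
	_ret=1; \
	count=0; \
	dynamic=${RIGHT_ADDR}; \
	if [ -n "$$config_address" ]; then \
		dynamic="$${config_address%.*}.[0-9]+"; \
	fi; \
	[ -z "$$maxwait" ] && maxwait=3; \
	while [[ $$count -le $$maxwait ]]; do \
		ipsecctlleft=`ssh ${LEFT_SSH} ipsecctl -sa`; \
		ipsecctlright=`ssh ${RIGHT_SSH} ipsecctl -sa`; \
		flowleft=`echo "$$ipsecctlleft" \
		    | sed -E -n "/^flow $$flowtype in from $$dynamic\
		    to ${LEFT_ADDR} peer ${RIGHT_ADDR} srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]*\
		    dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; \
		flowright=`echo "$$ipsecctlright" \
		    | sed -E -n "/^flow $$flowtype in from ${LEFT_ADDR}\
		    to $$dynamic peer ${LEFT_ADDR} srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]*\
		    dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; \
		saleft_rtol=`echo "$$ipsecctlleft" \
		    | sed -n "/^$$flowtype $$tmode from ${RIGHT_ADDR} to ${LEFT_ADDR}/p"`; \
		saleft_ltor=`echo "$$ipsecctlleft" \
		    | sed -n "/^$$flowtype $$tmode from ${LEFT_ADDR} to ${RIGHT_ADDR}/p"`; \
		saright_rtol=`echo "$$ipsecctlright" \
		    | sed -n "/^$$flowtype $$tmode from ${RIGHT_ADDR} to ${LEFT_ADDR}/p"`; \
		saright_ltor=`echo "$$ipsecctlright" \
		    | sed -n "/^$$flowtype $$tmode from ${LEFT_ADDR} to ${RIGHT_ADDR}/p"`; \
		if [[ -n "$$saleft_ltor" && -n "$$saleft_rtol" && \
		     -n "$$saright_ltor" && -n "$$saright_rtol" && \
		     -n "$$flowleft" && -n "$$flowright" ]]; then \
			 _ret=0; \
			 break; \
		fi; \
		let count=$$count+1; \
	done; \
	if [[ "$${_ret}" -ne 0 ]]; then \
		echo "SAs not found:\n$$ipsecctlleft\n$$ipsecctlright"; \
	fi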
72
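# TEST_PING: prove that traffic between the peers is actually protected.  On
# left, capture two packets on enc(4) while pinging RIGHT_ADDR five times,
# decode the capture and require tcpdump's "(authentic,confidential)" ESP
# annotation for packets in BOTH directions.  Packets that did not pass
# through IPsec do not show up on enc0, so a missing or one-way SA fails.
# Result: _ret=0 on success, _ret=1 otherwise; the decoded capture is echoed
# either way so a failure can be read from the log.
# ping6 is used only when the caller passes IPV=6 (IPV is not set in this
# file).  The capture uses a fixed path, /tmp/test.pcap, on the remote host
# and is removed afterwards; `kill -9 \\$$!' stops the backgrounded tcpdump
# ($! is expanded by the remote shell).  ltor holds LEFT_ADDR > RIGHT_ADDR
# packets and rtol the replies; both must be non-empty.
TEST_PING = \
	_ret=1; \
	if [[ "${IPV}" == "6" ]]; then ping="ping6"; else ping="ping"; fi; \
	dump=`ssh ${LEFT_SSH} "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & \
	    $$ping -w 1 -n -c 5 ${RIGHT_ADDR} > /dev/null && \
	    tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; \
	    kill -9 \\$$! > /dev/null 2>&1 || true"`; \
	ltor=`echo "$$dump" \
	    | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: ${LEFT_ADDR} > ${RIGHT_ADDR}/p"`; \
	rtol=`echo "$$dump" \
	    | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: ${RIGHT_ADDR} > ${LEFT_ADDR}/p"`; \
	if [[ -z "$$ltor" || -z "$$rtol" ]]; then \
		_ret=1; \
	else \
		_ret=0; \
	fi; \
	echo "$$dump"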
90
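# TEST_SINGLEIKESA: count the IKE SAs on left via `ikectl show sa' and fail
# the recipe (exit 1) unless there is exactly one.  Used together with `set
# enforcesingleikesa' to check that a reload on the peer does not leave a
# duplicate IKE SA behind.  Zero SAs (nothing negotiated) or an empty count
# (ssh failure) are failures as well, so the message reports the actual
# count instead of always claiming "too many".
TEST_SINGLEIKESA = \
	count=`ssh ${LEFT_SSH} "ikectl show sa | grep -c iked_sas"`; \
	if [[ "$$count" != "1" ]]; then \
		echo "error: expected exactly one IKE SA, found '$$count'."; \
		exit 1; \
	fi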
97
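# SETUP_CONFIG: append one iked policy block for side $side to the local
# staging file $@_$side.conf (e.g. run-psk_left.conf) as shell-style
# assignments, followed by the iked.in template that consumes them.
# Shell variables read:
#   side            left or right (selects the output file)
#   local, peer     this host's and the peer's address
#   srcid           our IKE identity; written with embedded escaped quotes so
#                   an ASN.1 DN with slashes/spaces survives as one token
#   dstid           optional "dstid <id>" clause pinning the peer's identity
#   mode            active (default only if unset) or passive; NOTE the
#                   variable persists across consecutive calls in one shell
#   auth, psk       auth=psk emits "psk <hex>" -- the shared secret in clear
#   flowtype        ipcomp adds the ipcomp keyword
#   tmode, ikesa    transform mode and optional "ikesa group ..." proposal
#   fragmentation, singleikesa   add the matching global `set' lines
#   config_address  left becomes passive and hands out the address/pool
#                   (`config address'), right becomes active and asks for one
#                   (`request address any'); a pool (contains '/') makes the
#                   inner endpoint "dynamic", otherwise it is the address
# The file is deliberately appended to, never truncated: run-dstid-multi and
# run-srcid-multi call this several times for one side to stack policies.
# Because the file can carry the PSK it is created 0600 (umask in a subshell)
# before the first write, instead of relying on the chmod in DEPLOY_CONFIGS
# which only happens after the whole file has been written.
SETUP_CONFIG = \
	from=$$local; \
	to=$$peer; \
	if [[ -z "$$mode" ]]; then mode="active"; fi; \
	authstr=""; \
	if [[ "$$auth" = "psk" ]]; then \
		authstr="psk $$psk"; \
	fi; \
	ipcomp=""; \
	if [[ "$$flowtype" = "ipcomp" ]]; then \
		ipcomp="ipcomp"; \
	fi; \
	global=""; \
	if [ "$$fragmentation" = true ]; then \
		global="$${global}set fragmentation\n"; \
	fi; \
	if [ "$$singleikesa" = true ]; then \
		global="$${global}set enforcesingleikesa\n"; \
	fi; \
	confstr=""; \
	if [ -n "$$config_address" ]; then \
		if [ "$$side" = left ]; then \
			mode=passive; \
			confstr="config address $$config_address"; \
			if [[ "$$config_address" == */* ]]; then \
				to="dynamic"; \
			else \
				to="$$config_address"; \
			fi; \
		else \
			mode=active; \
			confstr="request address any"; \
			if [[ "$$config_address" == */* ]]; then \
				from="dynamic"; \
			else \
				from="$$config_address"; \
			fi; \
		fi; \
	fi; \
	( umask 077; : >> $@_$$side.conf ); \
	echo "MODE=\"$$mode\"" >> $@_$$side.conf; \
	echo "TMODE=\"$$tmode\"" >> $@_$$side.conf; \
	echo "FROM=\"$$from\"" >> $@_$$side.conf; \
	echo "TO=\"$$to\"" >> $@_$$side.conf; \
	echo "LOCAL_ADDR=\"$$local\"" >> $@_$$side.conf; \
	echo "PEER_ADDR=\"$$peer\"" >> $@_$$side.conf; \
	echo "IPCOMP=\"$$ipcomp\"" >> $@_$$side.conf; \
	echo "SRCID=\"\\\"$$srcid\\\"\"" >> $@_$$side.conf; \
	echo "DSTID=\"$$dstid\"" >> $@_$$side.conf; \
	echo "AUTH=\"$$authstr\"" >> $@_$$side.conf; \
	echo "CONFIG=\"$$confstr\"" >> $@_$$side.conf; \
	echo "IKESA=\"$$ikesa\"" >> $@_$$side.conf; \
	echo "$$global" >> $@_$$side.conf; \
	cat ${.CURDIR}/iked.in >> $@_$$side.conf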
151
# DEPLOY_CONFIGS: upload the two staged policy files as /tmp/test.conf on the
# respective host and delete the local copies.  The chmod 0600 is what keeps
# the remote copy -- which may contain the PSK -- owner-readable only: OpenSSH's
# sftp put applies the local file mode to the file it creates (verify if a
# different sftp client is ever used).  /tmp/test.conf is a fixed, predictable
# path in a world-writable directory; acceptable on dedicated test hosts
# without untrusted local users, not on anything shared.
DEPLOY_CONFIGS = \
	chmod 0600 $@_left.conf; \
	echo "cd /tmp\nput $@_left.conf test.conf" | sftp -q ${LEFT_SSH}; \
	chmod 0600 $@_right.conf; \
	echo "cd /tmp\nput $@_right.conf test.conf" | sftp -q ${RIGHT_SSH}; \
	rm -f $@_left.conf $@_right.conf
158
# SETUP_CONFIGS: the common case -- one policy per side with mirrored
# local/peer addresses and srcid taken from leftid/rightid, then deploy.
# For auth=psk a fresh 20-byte random secret (openssl rand) is generated per
# run and shared by both sides; nothing long-lived is stored anywhere.
# Callers set leftid, rightid and optionally auth, flowtype, tmode,
# fragmentation, singleikesa and config_address on the same recipe line.
SETUP_CONFIGS = \
	if [[ "$$auth" = "psk" ]]; then \
		psk=`openssl rand -hex 20`; \
	fi; \
	side=left; \
	srcid=$$leftid; \
	local=${LEFT_ADDR}; \
	peer=${RIGHT_ADDR}; \
	    ${SETUP_CONFIG}; \
	side=right; \
	srcid=$$rightid; \
	local=${RIGHT_ADDR}; \
	peer=${LEFT_ADDR}; \
	    ${SETUP_CONFIG}; \
	${DEPLOY_CONFIGS}
174
# SETUP_SYSCTL: apply the sysctl(8) assignment in $sysctl on both hosts.  The
# change is runtime-only, but it is not undone automatically either -- the
# caller (or the cleanup target) has to restore it.
SETUP_SYSCTL = \
	ssh ${LEFT_SSH} "sysctl $$sysctl"; \
	ssh ${RIGHT_SSH} "sysctl $$sysctl"
178
# SETUP_START: on both hosts flush the SAD/SPD (ipsecctl -F), stop any running
# iked and start a fresh one from /tmp/test.conf with the optional $iked_flags
# (e.g. -p9999).  The commands are `;'-joined so a pkill that finds nothing
# does not abort the recipe.  Left is started before right.
SETUP_START = \
	ssh ${LEFT_SSH} "ipsecctl -F; pkill iked; iked $$iked_flags -f /tmp/test.conf"; \
	ssh ${RIGHT_SSH} "ipsecctl -F; pkill iked; iked $$iked_flags -f /tmp/test.conf"
182
# SETUP_RELOAD_RIGHT: make the right-hand iked re-read its configuration
# (ikectl reload) without restarting the daemon.
SETUP_RELOAD_RIGHT = \
	ssh ${RIGHT_SSH} "ikectl reload"
185
# SETUP_CERT: issue the leaf certificate $name-from-$caname.crt for the
# existing key $name.key, signed by $caname.key/$caname.crt.  A per-cert
# config is built from crt.in with ALTNAME set to the cert name (crt.in is
# expected to turn that into subjectAltName entries and to supply the
# req_cert_extensions section).  -nodes is a no-op here since no private key
# is written.  No -days is given, so the cert gets OpenSSL's default validity
# (30 days): fine for a throwaway PKI, but a checkout older than that keeps
# its expired certs until `make clean' removes them.
SETUP_CERT = \
	echo "ALTNAME = $$name-from-$$caname" > $$name-from-$$caname.cnf; \
	cat ${.CURDIR}/crt.in >> $$name-from-$$caname.cnf; \
	openssl req -config $$name-from-$$caname.cnf -new -key $$name.key -nodes \
	    -out $$name-from-$$caname.csr; \
	openssl x509 -extfile $$name-from-$$caname.cnf -extensions req_cert_extensions \
	     -req -in $$name-from-$$caname.csr -CA $$caname.crt -CAkey $$caname.key \
	     -CAcreateserial -out $$name-from-$$caname.crt
194
# SETUP_CA: create a throwaway CA -- a 2048-bit RSA key and a self-signed
# certificate with a fixed DN ending in CN=$caname.  run-cert-single-ca-asn1dn
# uses the same DN prefix for the leaf identities, so crt.in presumably issues
# leaves under it.  Default validity applies (no -days).
SETUP_CA = \
	openssl genrsa -out $$caname.key 2048; \
	openssl req -subj "/C=DE/ST=Bavaria/L=Munich/O=iked/CN=$$caname" \
	     -new -x509 -key $$caname.key -out $$caname.crt
199
# cleanup (REGRESS_CLEANUP): tear both hosts down.  DESTRUCTIVE: it deletes
# every file under /etc/iked/ca, certs and private on both machines, so only
# point this test at dedicated hosts.  It also removes the uploaded
# /tmp/test.conf (which may hold the PSK), flushes IPsec state, stops iked,
# restores the default NAT-T port, and for pf disables it and reloads
# /etc/pf.conf -- note there is no `pfctl -e' afterwards, so a host that
# normally runs pf is left with pf disabled.  The leading `-' keeps going on
# errors so a failure on one host does not skip the other.
cleanup:
	-ssh ${LEFT_SSH} 'rm -f /tmp/test.conf; ipsecctl -F; pkill iked; \
	    rm -f /etc/iked/ca/*; rm -f /etc/iked/certs/*; rm -f /etc/iked/private/*; \
	    sysctl "net.inet.esp.udpencap_port=4500"; \
	    rm -f /tmp/pf.conf; pfctl -d; pfctl -f /etc/pf.conf;'
	-ssh ${RIGHT_SSH} 'rm -f /tmp/test.conf; ipsecctl -F; pkill iked; \
	    rm -f /etc/iked/ca/*; rm -f /etc/iked/certs/*; rm -f /etc/iked/private/*; \
	    sysctl "net.inet.esp.udpencap_port=4500"; \
	    rm -f /tmp/pf.conf; pfctl -d; pfctl -f /etc/pf.conf;'
209
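# setup_certs: generate the test PKI locally and install it on both hosts.
# Each host receives its own key as private/local.key, its leaf certs from
# ca-both and from the *other* side's CA, both ca-none leaves, and as trust
# anchors ca-both plus its own CA only.  This is what the tests lean on:
# cross-CA validation (run-cert-multi-ca), and run-cert-no-ca, where neither
# host trusts ca-none but each has the peer's leaf pre-installed in certs/.
# Finally the public key is exported to /etc/iked/local.pub.
# -q is given before the destination, as in the other sftp calls in this
# file: sftp stops option parsing at the first non-option argument, so a
# trailing -q is silently ignored rather than honoured.
setup_certs: ca-both.crt left-from-ca-both.crt left.key right-from-ca-both.crt \
    right.key ca-left.crt right-from-ca-left.crt ca-right.crt left-from-ca-right.crt \
    ca-none.crt left-from-ca-none.crt right-from-ca-none.crt
	echo "cd /etc/iked\n \
	    put left-from-ca-both.crt certs\n \
	    put left-from-ca-right.crt certs\n \
	    put left-from-ca-none.crt certs\n \
	    put right-from-ca-none.crt certs\n \
	    put left.key private/local.key\n \
	    put ca-left.crt ca\n \
	    put ca-both.crt ca\n" | sftp -q ${LEFT_SSH}; \
	echo "cd /etc/iked\n \
	    put right-from-ca-both.crt certs\n \
	    put right-from-ca-left.crt certs\n \
	    put right-from-ca-none.crt certs\n \
	    put left-from-ca-none.crt certs\n \
	    put right.key private/local.key\n \
	    put ca-right.crt ca\n \
	    put ca-both.crt ca\n" | sftp -q ${RIGHT_SSH}; \
	ssh ${LEFT_SSH} "openssl rsa -in /etc/iked/private/local.key -pubout > /etc/iked/local.pub"; \
	ssh ${RIGHT_SSH} "openssl rsa -in /etc/iked/private/local.key -pubout > /etc/iked/local.pub"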
231
# setup_pf: push pf.in to /tmp/pf.conf on both hosts, load it and enable pf.
# The pfctl steps are `-'-prefixed, so a ruleset that fails to load does not
# stop the run -- the tests then execute without the intended filter.
setup_pf: pf.in
	echo "cd /tmp\nput ${.CURDIR}/pf.in pf.conf" | sftp -q ${LEFT_SSH}
	echo "cd /tmp\nput ${.CURDIR}/pf.in pf.conf" | sftp -q ${RIGHT_SSH}
	-ssh ${LEFT_SSH} "pfctl -f /tmp/pf.conf; pfctl -e"
	-ssh ${RIGHT_SSH} "pfctl -f /tmp/pf.conf; pfctl -e"
237
# setup (REGRESS_SETUP_ONCE): firewall first, then the PKI.
setup: setup_pf setup_certs
239
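# Both are command targets that never produce a file of their own name.
# Without .PHONY a stray file called setup_pf newer than pf.in would turn
# that target into a silent no-op and the hosts would run without the ruleset.
.PHONY: setup_certs setup_pf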
241
# test_flows: manual helper, not in REGRESS_TARGETS -- runs TEST_FLOWS against
# whatever is currently configured on the hosts.  flowtype (and tmode, if not
# tunnel) must come from the environment, e.g. `flowtype=esp make test_flows';
# the outcome is only printed, not turned into an exit status.
test_flows:
	${TEST_FLOWS}
244
# Per-host RSA key, 2048 bit, unencrypted (it is uploaded as the host's
# private/local.key).  $@ selects left.key or right.key.
left.key right.key:
	openssl genrsa -out $@ 2048
247
# CA trusted by both sides.  One recipe writes both files, so the two targets
# are not independent: fine for the serial regress run, racy under make -j.
ca-both.crt ca-both.key:
	caname=ca-both; ${SETUP_CA}
250
# Left's leaf under the shared CA (identity left-from-ca-both).
left-from-ca-both.crt: ca-both.crt ca-both.key left.key
	caname=ca-both; name=left; ${SETUP_CERT}
253
# Right's leaf under the shared CA (identity right-from-ca-both).
right-from-ca-both.crt: ca-both.crt ca-both.key right.key
	caname=ca-both; name=right; ${SETUP_CERT}
256
# CA trusted only by left (setup_certs installs it in left's /etc/iked/ca).
ca-left.crt ca-left.key:
	caname=ca-left; ${SETUP_CA}
259
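# Right's leaf signed by left's CA -- what right presents in run-cert-multi-ca.
# right.key is a prerequisite (its own rule above generates it), not a second
# target: listing it as a target gave this rule a duplicate script for
# right.key and hid the real dependency from make.
right-from-ca-left.crt: ca-left.crt ca-left.key right.key
	caname=ca-left; name=right; ${SETUP_CERT}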
262
# CA trusted only by right (setup_certs installs it in right's /etc/iked/ca).
ca-right.crt ca-right.key:
	caname=ca-right; ${SETUP_CA}
265
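# Left's leaf signed by right's CA -- what left presents in run-cert-multi-ca.
# left.key is a prerequisite (generated by its own rule above), not a second
# target: listing it as a target gave this rule a duplicate script for
# left.key and hid the real dependency from make.
left-from-ca-right.crt: ca-right.crt ca-right.key left.key
	caname=ca-right; name=left; ${SETUP_CERT}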
268
# CA trusted by neither host.  Its leaves are only usable because setup_certs
# pre-installs each one directly in the peer's /etc/iked/certs.
ca-none.crt ca-none.key:
	caname=ca-none; ${SETUP_CA}
271
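# Left's leaf under the untrusted CA (run-cert-no-ca).  left.key is a
# prerequisite generated by its own rule above; naming it as a second target
# here produced a duplicate script for left.key and hid the dependency.
left-from-ca-none.crt: ca-none.crt ca-none.key left.key
	caname=ca-none; name=left; ${SETUP_CERT}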
274
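# Right's leaf under the untrusted CA (run-cert-no-ca).  right.key is a
# prerequisite generated by its own rule above; naming it as a second target
# here produced a duplicate script for right.key and hid the dependency.
right-from-ca-none.crt: ca-none.crt ca-none.key right.key
	caname=ca-none; name=right; ${SETUP_CERT}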
277
# Negative control for TEST_PING: with iked stopped and the SAD/SPD flushed on
# both hosts, the ping must NOT show up as protected traffic (_ret stays 1).
# This keeps the positive checks honest -- if it ever passes, the capture or
# the regex is matching clear text or stale state.  `|| true' covers pkill
# finding no iked to kill.
REGRESS_TARGETS = run-ping-fail
run-ping-fail:
	ssh ${LEFT_SSH} "ipsecctl -F; pkill iked || true"
	ssh ${RIGHT_SSH} "ipsecctl -F; pkill iked || true"
	${TEST_PING}; \
	if [[ $$_ret -ne 1 ]]; then exit 1; fi
284
# Baseline: both peers authenticate with certificates from the shared CA
# (ca-both) using FQDN identities; expects ESP flows and SAs on both hosts
# plus a protected ping.
REGRESS_TARGETS += run-cert-single-ca
run-cert-single-ca:
	leftid=left-from-ca-both; \
	rightid=right-from-ca-both; \
	    ${SETUP_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
	${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
293
# As run-cert-single-ca, but the identities are the certificates' ASN.1 DNs
# (SETUP_CA's subject prefix with the leaf name as CN).  TEST_FLOWS accepts
# ASN1_DN ids in the flow output.
REGRESS_TARGETS += run-cert-single-ca-asn1dn
run-cert-single-ca-asn1dn:
	leftid="/C=DE/ST=Bavaria/L=Munich/O=iked/CN=left-from-ca-both"; \
	rightid="/C=DE/ST=Bavaria/L=Munich/O=iked/CN=right-from-ca-both"; \
	    ${SETUP_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
	${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
302
# Leaves issued by ca-none, a CA neither host trusts.  setup_certs installs
# the peer's leaf directly into each host's /etc/iked/certs, so the exchange
# is expected to succeed through the pre-installed peer certificate rather
# than through chain validation.
REGRESS_TARGETS += run-cert-no-ca
run-cert-no-ca:
	leftid=left-from-ca-none; \
	rightid=right-from-ca-none; \
	    ${SETUP_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
	${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
311
# Address assignment: left (passive) hands 172.16.13.36 to right via
# `config address', right (active) does `request address any'.  config_address
# is set again for TEST_FLOWS on its own recipe line (each line is a new
# shell) so the flows are matched against the assigned 172.16.13.x endpoint.
# No TEST_PING: it pings RIGHT_ADDR, not the assigned inner address.
REGRESS_TARGETS += run-config-address
run-config-address:
	flowtype=esp; \
	config_address=172.16.13.36; \
	leftid=left-from-ca-both; \
	rightid=right-from-ca-both; \
	    ${SETUP_CONFIGS}
	${SETUP_START}
	config_address=172.16.13.36; \
	flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
322
# Same as run-config-address with a /31 pool: right's inner endpoint is
# `dynamic' in the policy and must show up in the flows as an address out of
# the pool.  Again no TEST_PING, for the same reason.
REGRESS_TARGETS += run-config-address-pool
run-config-address-pool:
	flowtype=esp; \
	config_address=172.16.13.36/31; \
	leftid=left-from-ca-both; \
	rightid=right-from-ca-both; \
	    ${SETUP_CONFIGS}
	${SETUP_START}
	config_address=172.16.13.36/31; \
	flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
333
# Peer-identity pinning must be enforced: right is passive with
# `dstid invalid', which left's real identity cannot satisfy, so no SA may be
# established and the ping must stay unprotected -- both checks are required
# to FAIL (_ret must be 1).  The configs are assembled by hand because
# SETUP_CONFIGS cannot give the two sides different dstid values.
REGRESS_TARGETS += run-dstid-fail
run-dstid-fail:
	leftid=left-from-ca-both; \
	rightid=right-from-ca-both; \
	    side=left; \
	    srcid=$$leftid; \
	    local=${LEFT_ADDR}; \
	    peer=${RIGHT_ADDR}; \
	    ${SETUP_CONFIG}; \
	    side=right; \
	    mode=passive; \
	    srcid=$$rightid; \
	    local=${RIGHT_ADDR}; \
	    peer=${LEFT_ADDR}; \
	    dstid="dstid invalid"; \
	    ${SETUP_CONFIG}; \
	    ${DEPLOY_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 1 ]]; then exit 1; fi
	${TEST_PING}; if [[ $$_ret -ne 1 ]]; then exit 1; fi
354
# Positive counterpart of run-dstid-fail: each side pins dstid to the other's
# real identity and the tunnel must come up.
REGRESS_TARGETS += run-dstid
run-dstid:
	flowtype=esp; \
	leftid=left-from-ca-both; \
	rightid=right-from-ca-both; \
	    side=left; \
	    srcid=$$leftid; \
	    local=${LEFT_ADDR}; \
	    peer=${RIGHT_ADDR}; \
	    dstid="dstid $$rightid"; \
	    ${SETUP_CONFIG}; \
	    side=right; \
	    srcid=$$rightid; \
	    local=${RIGHT_ADDR}; \
	    peer=${LEFT_ADDR}; \
	    dstid="dstid $$leftid"; \
	    ${SETUP_CONFIG}; \
	    ${DEPLOY_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
	${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
376
# Right (passive) carries two policies for the same peer: one pinning left's
# real identity and one pinning the bogus "roflol".  The tunnel is expected to
# come up, i.e. the policy with the matching dstid gets selected.  SETUP_CONFIG
# is called twice for side=right so both blocks land in the same file.
REGRESS_TARGETS += run-dstid-multi
run-dstid-multi:
	flowtype=esp; \
	leftid=left-from-ca-both; \
	rightid=right-from-ca-both; \
	    side=left; srcid=$$leftid; local=${LEFT_ADDR}; peer=${RIGHT_ADDR}; \
	    dstid="dstid $$rightid"; \
	    ${SETUP_CONFIG}; \
	    side=right; mode=passive; srcid=$$rightid; local=${RIGHT_ADDR}; \
	    peer=${LEFT_ADDR}; dstid="dstid $$leftid"; \
	    ${SETUP_CONFIG}; \
	    dstid="dstid roflol"; \
	    ${SETUP_CONFIG}; \
	    ${DEPLOY_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
	${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
394
# Right (passive) has three policies differing only in srcid ("borked", its
# real identity, "roflol") and no dstid, while left pins dstid to right's real
# identity.  Expected to succeed -- presumably by selecting the policy whose
# srcid is the one left demands.
REGRESS_TARGETS += run-srcid-multi
run-srcid-multi:
	flowtype=esp; \
	leftid=left-from-ca-both; \
	rightid=right-from-ca-both; \
	    side=left; srcid=$$leftid; local=${LEFT_ADDR}; peer=${RIGHT_ADDR}; \
	    dstid="dstid $$rightid"; \
	    ${SETUP_CONFIG}; \
	    side=right; mode=passive; srcid="borked"; local=${RIGHT_ADDR}; \
	    peer=${LEFT_ADDR}; dstid=""; \
	    ${SETUP_CONFIG}; \
	    srcid=$$rightid; \
	    ${SETUP_CONFIG}; \
	    srcid="roflol"; \
	    ${SETUP_CONFIG}; \
	    ${DEPLOY_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
	${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
414
# Separate trust anchors: left presents a cert from ca-right (which only right
# trusts) and right one from ca-left (which only left trusts), so each side
# has to validate the peer against its own /etc/iked/ca.
REGRESS_TARGETS += run-cert-multi-ca
run-cert-multi-ca:
	flowtype=esp; \
	leftid=left-from-ca-right; \
	rightid=right-from-ca-left; \
	    ${SETUP_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
	${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
424
# Identities that are not the primary ALTNAME: a second FQDN
# (left-from-ca-both-alternative) and a UFQDN (right-from-ca-both@openbsd.org).
# crt.in is expected to put both into the certificates' subjectAltName.
REGRESS_TARGETS += run-cert-second-altname
run-cert-second-altname:
	flowtype=esp; \
	leftid=left-from-ca-both-alternative; \
	rightid=right-from-ca-both@openbsd.org; \
	    ${SETUP_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
	${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
434
# Key-exchange group mismatch: left proposes ecp256 first and curve25519
# second, right accepts curve25519 only, so the first exchange has to be
# rejected and retried with the other group (IKEv2's INVALID_KE_PAYLOAD path,
# as far as this file shows).  The retry takes longer, hence maxwait=6 for
# TEST_FLOWS; the tunnel must still come up.
REGRESS_TARGETS += run-invalid-ke
run-invalid-ke:
	flowtype=esp; \
	leftid=left-from-ca-both; \
	rightid=right-from-ca-both; \
	    side=left; srcid=$$leftid; local=${LEFT_ADDR}; peer=${RIGHT_ADDR}; \
	    dstid="dstid $$rightid"; \
	    ikesa="ikesa group ecp256 group curve25519"; \
	    ${SETUP_CONFIG}; \
	    side=right; mode=passive; srcid=$$rightid; local=${RIGHT_ADDR}; \
	    peer=${LEFT_ADDR}; dstid="dstid $$leftid"; \
	    ikesa="ikesa group curve25519"; \
	    ${SETUP_CONFIG}; \
	    ${DEPLOY_CONFIGS}
	${SETUP_START}
	flowtype=esp; maxwait=6; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
	${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
452
# PSK authentication must fail when the secrets differ: each side gets its own
# `openssl rand -hex 20', which is why SETUP_CONFIGS (one shared psk) is
# bypassed here.  Both checks are required to FAIL (_ret must be 1).
REGRESS_TARGETS += run-psk-fail
run-psk-fail:
	auth=psk; \
	leftid=left-from-ca-both; \
	rightid=right-from-ca-both; \
	flowtype=esp; \
	    side=left; \
	    srcid=$$leftid; \
	    local=${LEFT_ADDR}; \
	    peer=${RIGHT_ADDR}; \
	    dstid="dstid $$rightid"; \
	    psk=`openssl rand -hex 20`; \
	    ${SETUP_CONFIG}; \
	    side=right; \
	    srcid=$$rightid; \
	    local=${RIGHT_ADDR}; \
	    peer=${LEFT_ADDR}; \
	    dstid="dstid $$leftid"; \
	    psk=`openssl rand -hex 20`; \
	    ${SETUP_CONFIG}; \
	    ${DEPLOY_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 1 ]]; then exit 1; fi
	${TEST_PING}; if [[ $$_ret -ne 1 ]]; then exit 1; fi
477
# Shared random PSK (generated once by SETUP_CONFIGS) with plain FQDN ids
# left/right -- no certificates involved; the tunnel must come up.
REGRESS_TARGETS += run-psk
run-psk:
	auth=psk; \
	leftid=left; \
	rightid=right; \
	flowtype=esp; \
	    ${SETUP_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; \
	if [[ $$_ret -ne 0 ]]; then exit 1; fi
	${TEST_PING}; \
	if [[ $$_ret -ne 0 ]]; then exit 1; fi
490
# Baseline cert test with iked's `set fragmentation' enabled on both sides
# (emitted into the config by SETUP_CONFIG when fragmentation=true).
REGRESS_TARGETS += run-fragmentation
run-fragmentation:
	flowtype=esp; \
	fragmentation=true; \
	leftid=left-from-ca-both; \
	rightid=right-from-ca-both; \
	    ${SETUP_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; \
	if [[ $$_ret -ne 0 ]]; then exit 1; fi
	${TEST_PING}; \
	if [[ $$_ret -ne 0 ]]; then exit 1; fi
503
# Transport mode instead of tunnel.  tmode is set once for the config and
# again for TEST_FLOWS (separate shells), which then looks for `esp transport'
# SAs.
REGRESS_TARGETS += run-transport
run-transport:
	flowtype=esp; \
	tmode=transport; \
	leftid=left-from-ca-both; \
	rightid=right-from-ca-both; \
	    ${SETUP_CONFIGS}
	${SETUP_START}
	tmode=transport; flowtype=esp; \
	    ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
	${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
515
# `set enforcesingleikesa': after start-up right reloads its configuration
# (which presumably re-initiates), and three seconds later left must hold
# exactly one IKE SA.  Only TEST_SINGLEIKESA is checked here, not flows or
# ping.
REGRESS_TARGETS += run-singleikesa
run-singleikesa:
	flowtype=esp; \
	singleikesa=true; \
	leftid=left-from-ca-both; \
	rightid=right-from-ca-both; \
	    ${SETUP_CONFIGS}
	${SETUP_START}
	sleep 1; ${SETUP_RELOAD_RIGHT}; \
	sleep 3; ${TEST_SINGLEIKESA}
526
# IPcomp flows: net.inet.ipcomp.enable=1 is set on both hosts first and
# TEST_FLOWS looks for `ipcomp' flows and SAs.  Unlike the udpencap test,
# nothing -- not even cleanup -- resets this sysctl afterwards.
REGRESS_TARGETS += run-ipcomp
run-ipcomp:
	flowtype=ipcomp; \
	leftid=left-from-ca-both; \
	rightid=right-from-ca-both; \
	    ${SETUP_CONFIGS}
	sysctl="net.inet.ipcomp.enable=1"; \
	    ${SETUP_SYSCTL}
	${SETUP_START}
	flowtype=ipcomp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
	${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
538
# NAT-T on a non-default port: both kernels are switched to UDP port 9999 and
# iked is started with -p9999.  The port is restored to 4500 at the end of
# the recipe only on success (an `exit 1' above skips it); the cleanup target
# restores it unconditionally.
REGRESS_TARGETS += run-udpencap-port
run-udpencap-port:
	flowtype=esp; \
	leftid=left-from-ca-both; \
	rightid=right-from-ca-both; \
	    ${SETUP_CONFIGS}; \
	sysctl="net.inet.esp.udpencap_port=9999"; \
	    ${SETUP_SYSCTL};
	iked_flags=-p9999; \
	    ${SETUP_START};
	flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
	${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
	sysctl="net.inet.esp.udpencap_port=4500"; \
	    ${SETUP_SYSCTL};
553
554.include <bsd.regress.mk>
555